
Running php-fpm with different user group using umask

The aim of this tutorial is to get a working configuration for running php-fpm under a different user and group, using umask to keep the resulting file permissions consistent.
As web server you can choose between Apache2 and Nginx.
The web server (Apache2/Nginx) daemon process will run as www-data, and all requests that need PHP processing will run as youruser:yourgroup.
We will use umask 002, so newly created directories get mode 775 and files get 664. Files and directories will belong to youruser:yourgroup, and we extend the group membership of yourgroup to the existing www-data user so the web server keeps group access to them. This kind of setup makes it possible for each php-fpm pool and web directory/virtual host to have its own user and group while the web server's user:group stays untouched. All the steps in this tutorial are based on Debian 8 as the target OS.

Prerequisites:

  • A working Apache2 or Nginx web server installation running on Debian 8 or newer.
  • A functional PHP5-FPM installation with PHP5 or PHP7.
  • Text editor (vi, joe, nano) of your choice.

For Apache2:

vi /etc/apache2/envvars
Add the following as the first line of the file:
umask 002

then restart apache2: systemctl restart apache2

For Nginx:

cp /lib/systemd/system/nginx.service /etc/systemd/system/
vi /etc/systemd/system/nginx.service
Add UMask=0002 to the [Service] section.
systemctl daemon-reload

then restart nginx: systemctl restart nginx

Now let's change our PHP5-FPM settings by adding our custom user:group to the /etc/php5/fpm/pool.d/www.conf config file (for PHP 7.0 on Debian the pool file is /etc/php/7.0/fpm/pool.d/www.conf):

vi /etc/php5/fpm/pool.d/www.conf
user = youruser
group = yourgroup

Next we copy the systemd unit files to /etc/systemd/system, where package updates will not overwrite them, and modify the copies:

For PHP5:

cp /lib/systemd/system/php5-fpm.service /etc/systemd/system/
vi /etc/systemd/system/php5-fpm.service
Add UMask=0002 to the [Service] section.
systemctl daemon-reload
systemctl restart php5-fpm

For PHP7:

cp /lib/systemd/system/php7.0-fpm.service /etc/systemd/system/
vi /etc/systemd/system/php7.0-fpm.service
Add UMask=0002 to the [Service] section.
systemctl daemon-reload
systemctl restart php7.0-fpm

Add the www-data user to yourgroup:

usermod -a -G yourgroup www-data

Set ownership and permissions on the website base directory structure (the setgid bit on directories makes new files and subdirectories inherit yourgroup):

chown -R youruser:yourgroup /var/www/yourwebdir
chmod g+s /var/www/yourwebdir
find /var/www/yourwebdir -type f -exec chmod 664 {} \;
find /var/www/yourwebdir -type d -exec chmod 2775 {} \;

And all should function properly.
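To see what the umask and setgid settings above actually produce, and to check an existing web directory for files that have drifted from the youruser:yourgroup 664/2775 layout, here is an added example (not part of the original post). The owner and group are parameters; because youruser and yourgroup are placeholders, the demo passes the numeric ids of the current user from `id`.

```sh
#!/bin/sh
# Added example, not part of the original post: exercise the mechanism the
# tutorial relies on (umask 002 below a setgid 2775 base directory) on a
# scratch tree, then audit a web directory for paths that drift from the
# intended owner:group 664/2775 layout. Owner and group are parameters;
# the tutorial's youruser/yourgroup are placeholders, so the demo uses `id`.
set -u

# Create a directory and a file the way a php-fpm worker under UMask=0002
# would, inside a 2775 base directory. Prints their octal modes.
demo_umask_tree() {
    base=$1
    chmod 2775 "$base"
    (
        umask 002                      # what UMask=0002 gives the daemon
        mkdir "$base/uploads"          # 0777 & ~002 = 775, setgid inherited -> 2775
        : > "$base/uploads/cache.dat"  # 0666 & ~002 = 664
    )
    stat -c '%a' "$base/uploads" "$base/uploads/cache.dat"
}

# Print every path under $1 that is not owned by $2:$3 (names or numeric
# ids), or whose mode is not exactly 664 (file) / 2775 (directory).
# No output means the tree matches the tutorial's layout.
audit_webdir() {
    dir=$1; owner=$2; group=$3
    find "$dir" \( ! -user "$owner" -o ! -group "$group" \
        -o \( -type f ! -perm 664 \) \
        -o \( -type d ! -perm 2775 \) \) -print
}

# Stand-alone demo on a temporary directory (constructed input).
demo() {
    tmp=$(mktemp -d)
    demo_umask_tree "$tmp"
    echo "--- audit, expected empty ---"
    audit_webdir "$tmp" "$(id -u)" "$(id -g)"
    # Simulate drift: a file uploaded over sftp by an account whose session
    # umask was never set (the tutorial's chfn step skipped), so it got 644.
    : > "$tmp/uploads/upload.txt"
    chmod 644 "$tmp/uploads/upload.txt"
    echo "--- audit, expected one path ---"
    audit_webdir "$tmp" "$(id -u)" "$(id -g)"
    rm -rf "$tmp"
}

demo
```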

Bonus:
There is also the GECOS field in /etc/passwd, which you can use for your login accounts to force the umask when creating files and directories via sftp or shell. This relies on the pam_umask PAM module, which reads a umask= entry from the GECOS field when the session is opened; on Debian it is enabled by default through /etc/pam.d/common-session, and if pam_umask is missing from your PAM session stack the field has no effect.

To add this enter following command:

chfn --other='umask=0002' YourUsername
Rating: 4.4/5. From 7 votes.
Jules

Jules is the owner and author of ISPIRE.ME. He's a Linux System Engineer, Tech fanatic and an Open Source fan.

7 Responses

  1. Neoblaster says:

    Hi,

    Thank you very much for this “how to”.
    I searched a long time before I found your tutorial.

    I followed the instructions and it works perfectly!

    I don’t really understand what I did with systemctl & service files but I will do some research later 😉

    Regards,
    Neoblaster.

    Rating: 4.3/5. From 3 votes.
  2. Jules says:

    You’re welcome! 🙂

    No votes yet.
  3. NeuCorP says:

    THANKS, for this article 🙂

    Rating: 5.0/5. From 1 vote.
  4. Lenny says:

    The downside of this approach is that if the original file gets updated, the changes won’t appear in your copied config file.
    The recommended way is to simply create an override file.
    e.g.
    mkdir /etc/systemd/system/php5-fpm.service.d
    vi /etc/systemd/system/php5-fpm.service.d/custom.conf
    and just add the below

    [Service]
    UMask=0002

    save and reload systemd. jobs a good’en.

    Rating: 5.0/5. From 1 vote.
    • Jules says:

      That might be the way for most users. I prefer using my own service files, since my service files mostly differ from the maintained service file.

      No votes yet.
  5. Copinmalin says:

    Thank you very much, you saved me 🙂

    No votes yet.
  6. JimDeadlock says:

    I’m late to the party but just wanted to say thanks, this works like a charm and is much easier than the other method of messing around with virtualhosts which has been giving me a headache for hours.

    No votes yet.